Privacy Law Update

On November 1, 2018, the federal government amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to add new obligations for organizations handling personal information through their commercial activities.  Boards of condominium corporations should be aware of some of the corporation’s activities can be construed as commercial, thus placing condo corporations within the scope of PIPEDA.  Deliberate failure to observe the amendments under PIPEDA may result in fines of up to $100,000 to the Corporation, as well as potential personal liability for board members if they do not act to address such failures.

The 2018 amendments include:

·         Reporting data breaches to the Office of the Privacy Commissioner of Canada (OPCC).  Reporting to the OPCC is only for security breaches where there is a real risk of significant harm to affected individuals.  The report would include information like the number of affected individuals, when the breach happened, the circumstances and nature of the breach, security safeguards in place, the personal information breached, and next steps.

·         Notifying affected individuals and organizations.  Organizations must notify affected individuals as soon as possible after determining that there was a real risk of significant harm.  Notice to the individuals need to be direct and include information like the circumstances and the breach date, what personal information was accessed, and how to obtain further information.  Organizations also have an obligation to notify other organizations if it would reduce the risk of harm or mitigate the harm from the breach.  If you are subject to the EU’s GDPR, then you may need to observe specific timelines for notification.

·         Keeping records.  Organizations must keep records on each security breach regardless of whether there was a real risk of significant harm.  The records should include information like the breach date, general description, or whether the breach was reported to the OPCC.

An eye to privacy law is becoming increasingly important given Innovation, Science and Economic Development Canada’s announcement this week of plans to develop a Digital Charter, which promises serious fines for non-compliance, penalties for re-identifying anonymized data, and order-making powers for the OPCC.  Thus, even though condominium corporations are regulated primarily under Ontario condominium law, boards of such corporations should, at a minimum, ensure that the corporation develop an adequate data breach plan, provide appropriate employee training, and maintain an updated privacy policy, in order to reduce the risk of the hefty fines relating to non-compliance with PIPEDA. 

For further information or guidance, contact MDK's Kimberley Chew Leung at kimberley@businesslawadvice.com